The Via header is one of the important headers for signalling end-to-end
path properties for an HTTP request and response.
Traditionally Squid has used it for forwarding loop detection and
prevention. However, it also carries the feature of relaying

This header is becoming important to relay promises of end-to-end security
in the presence of HTTPS interception. I would like your opinions on
removing the current "via off" configuration setting behaviour from
Squid. It is way too blunt a tool for the HTTP protocol's
permitted/forbidden things regarding this header.
* for admins needing to protect internal hierarchy info - we are supposed to
compact a set of Via entries down to one label at the exiting gateway.
* for admins and users wanting anonymity - we are permitted to replace
the proxy hostname with an opaque label.
In none of the above cases are we permitted to erase the Via header
entirely or omit adding to it. Doing so is a direct violation of a MUST
requirement and could lead to several nasty DoS or security problems.
So my proposal for now is to modify the "via" config option to toggle
whether or not Squid compacts a series of semantically identical Via
entries down to one opaque blob. Hops are considered identical if
their protocol name and version are identical.
For example:
Via: 1.0 foo, 1.1 internal.example.com, 1.1 localhost.example.com
becomes
Via: 1.0 foo, 1.1 example.com
Opinions?
Amos
Received on Sat Apr 20 2013 - 11:53:19 MDT
This archive was generated by hypermail 2.2.0 : Sat Apr 20 2013 - 12:00:16 MDT
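The compaction rule proposed above, written out as an added example (this is not Squid code and not part of the original post): an outbound-Via routine for a forwarding proxy that checks for a forwarding loop, always appends its own hop rather than dropping the header, and then collapses each run of two or more hops with the same protocol name and version into a single entry carrying a pseudonym. The host names, the pseudonym "example.com" and all header values are constructed for illustration.

```python
"""Via header handling for a forwarding proxy: parse, loop-check, append, compact.

Constructed example: hostnames, the pseudonym "example.com" and all sample
header values are illustrative; this is not Squid's implementation.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


class LoopDetected(Exception):
    """Our own received-by label already appears in the incoming Via."""


@dataclass(frozen=True)
class ViaHop:
    protocol: str       # received-protocol: "1.1" or "HTTP/1.1" (name optional)
    received_by: str    # host[:port] or an opaque pseudonym
    comment: str = ""   # optional parenthesised comment, without the parens


_COMMENT_RE = re.compile(r"\s*\((.*)\)\s*$")


def _split_entries(value: str) -> List[str]:
    # Split on commas that are not inside a (comment); comments may contain commas.
    entries, cur, depth = [], [], 0
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        if ch == "," and depth == 0:
            entries.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    entries.append("".join(cur))
    return [e.strip() for e in entries if e.strip()]


def parse_via(value: str) -> List[ViaHop]:
    hops = []
    for item in _split_entries(value):
        comment = ""
        m = _COMMENT_RE.search(item)
        if m:
            comment, item = m.group(1), item[: m.start()].rstrip()
        parts = item.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed Via entry: {item!r}")
        hops.append(ViaHop(parts[0], parts[1], comment))
    return hops


def protocol_key(proto: str):
    # "1.1" means "HTTP/1.1": the protocol-name defaults to HTTP when omitted.
    name, sep, version = proto.rpartition("/")
    return ((name if sep else "HTTP").upper(), version)


def compact_via(hops: List[ViaHop], pseudonym: str) -> List[ViaHop]:
    """Collapse each run of two or more consecutive hops with an identical
    received-protocol into one hop labelled `pseudonym`; single hops are kept."""
    out, i = [], 0
    while i < len(hops):
        j = i
        while j < len(hops) and protocol_key(hops[j].protocol) == protocol_key(hops[i].protocol):
            j += 1
        run = hops[i:j]
        out.extend(run if len(run) < 2 else [ViaHop(run[0].protocol, pseudonym)])
        i = j
    return out


def format_via(hops: List[ViaHop]) -> str:
    return ", ".join(
        f"{h.protocol} {h.received_by}" + (f" ({h.comment})" if h.comment else "")
        for h in hops
    )


def forward_via(incoming: Optional[str], self_label: str, version: str = "1.1",
                pseudonym: Optional[str] = None) -> str:
    """Outbound Via for a proxy: refuse forwarding loops, always append our own
    hop (the header is never dropped), then optionally compact identical runs."""
    hops = parse_via(incoming) if incoming else []
    if any(h.received_by == self_label for h in hops):
        raise LoopDetected(f"{self_label} already present in Via: {incoming}")
    hops.append(ViaHop(version, self_label))
    if pseudonym:
        hops = compact_via(hops, pseudonym)
    return format_via(hops)


if __name__ == "__main__":
    # The gateway localhost.example.com appends itself and compacts with the
    # preceding 1.1 hop, giving: 1.0 foo, 1.1 example.com
    print(forward_via("1.0 foo, 1.1 internal.example.com",
                      "localhost.example.com", pseudonym="example.com"))
```

With `pseudonym=None` the routine behaves like the non-compacting setting: the header is passed through with the proxy's own hop appended. The loop check runs before the append, so a request that has already passed through this proxy is rejected instead of being forwarded again.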